Total
64 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-13161 | 2025-03-11 | 9.8 Critical | ||
| Absolute path traversal in Ivanti EPM before the 2024 January-2025 Security Update and 2022 SU6 January-2025 Security Update allows a remote unauthenticated attacker to leak sensitive information. | ||||
| CVE-2024-13159 | 2025-03-11 | 9.8 Critical | ||
| Absolute path traversal in Ivanti EPM before the 2024 January-2025 Security Update and 2022 SU6 January-2025 Security Update allows a remote unauthenticated attacker to leak sensitive information. | ||||
| CVE-2024-13160 | 2025-03-11 | 9.8 Critical | ||
| Absolute path traversal in Ivanti EPM before the 2024 January-2025 Security Update and 2022 SU6 January-2025 Security Update allows a remote unauthenticated attacker to leak sensitive information. | ||||
| CVE-2024-10811 | 2025-03-08 | 9.8 Critical | ||
| Absolute path traversal in Ivanti EPM before the 2024 January-2025 Security Update and 2022 SU6 January-2025 Security Update allows a remote unauthenticated attacker to leak sensitive information. | ||||
| CVE-2024-48248 | 2025-03-04 | 8.6 High | ||
| NAKIVO Backup & Replication before 11.0.0.88174 allows absolute path traversal for reading files via getImageByPath to /c/router (this may lead to remote code execution across the enterprise because PhysicalDiscovery has cleartext credentials). | ||||
| CVE-2023-40597 | 1 Splunk | 2 Splunk, Splunk Cloud Platform | 2025-02-28 | 7.8 High |
| In Splunk Enterprise versions lower than 8.2.12, 9.0.6, and 9.1.1, an attacker can exploit an absolute path traversal to execute arbitrary code that is located on a separate disk. | ||||
| CVE-2024-6097 | 1 Progress | 1 Telerik Reporting | 2025-02-24 | 5.3 Medium |
| In ProgressĀ® TelerikĀ® Reporting versions prior to 2025 Q1 (19.0.25.211), information disclosure is possible by a local threat actor through an absolute path vulnerability. | ||||
| CVE-2023-1176 | 1 Lfprojects | 1 Mlflow | 2025-02-19 | 3.3 Low |
| Absolute Path Traversal in GitHub repository mlflow/mlflow prior to 2.2.2. | ||||
| CVE-2025-0001 | 2025-02-18 | 6.5 Medium | ||
| Abacus ERP is versions older than 2024.210.16036, 2023.205.15833, 2022.105.15542 are affected by an authenticated arbitrary file read vulnerability. | ||||
| CVE-2024-2362 | 3 Linux, Lollms, Microsoft | 3 Linux Kernel, Lollms Web Ui, Windows | 2025-02-13 | 9.1 Critical |
| A path traversal vulnerability exists in the parisneo/lollms-webui version 9.3 on the Windows platform. Due to improper validation of file paths between Windows and Linux environments, an attacker can exploit this vulnerability to delete any file on the system. The issue arises from the lack of adequate sanitization of user-supplied input in the 'del_preset' endpoint, where the application fails to prevent the use of absolute paths or directory traversal sequences ('..'). As a result, an attacker can send a specially crafted request to the 'del_preset' endpoint to delete files outside of the intended directory. | ||||
| CVE-2025-0851 | 2025-02-12 | 9.8 Critical | ||
| A path traversal issue in ZipUtils.unzip and TarUtils.untar in Deep Java Library (DJL) on all platforms allows a bad actor to write files to arbitrary locations. | ||||
| CVE-2024-57966 | 2025-02-09 | 5 Medium | ||
| libarchiveplugin.cpp in KDE ark before 24.12.0 can extract to an absolute path from an archive. | ||||
| CVE-2018-20250 | 1 Rarlab | 1 Winrar | 2025-02-07 | 7.8 High |
| In WinRAR versions prior to and including 5.61, There is path traversal vulnerability when crafting the filename field of the ACE format (in UNACEV2.dll). When the filename field is manipulated with specific patterns, the destination (extraction) folder is ignored, thus treating the filename as an absolute path. | ||||
| CVE-2024-29053 | 1 Microsoft | 1 Defender For Iot | 2025-01-23 | 8.8 High |
| Microsoft Defender for IoT Remote Code Execution Vulnerability | ||||
| CVE-2024-21323 | 1 Microsoft | 1 Defender For Iot | 2025-01-23 | 8.8 High |
| Microsoft Defender for IoT Remote Code Execution Vulnerability | ||||
| CVE-2024-1703 | 1 Crmeb | 1 Crmeb | 2025-01-03 | 3.5 Low |
| A vulnerability was found in ZhongBangKeJi CRMEB 5.2.2. It has been classified as problematic. This affects the function openfile of the file /adminapi/system/file/openfile. The manipulation leads to absolute path traversal. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-254391. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2024-56321 | 2025-01-03 | 3.8 Low | ||
| GoCD is a continuous deliver server. GoCD versions 18.9.0 through 24.4.0 (inclusive) can allow GoCD admins to abuse the backup configuration "post-backup script" feature to potentially execute arbitrary scripts on the hosting server or container as GoCD's user, rather than pre-configured scripts. In practice the impact of this vulnerability is limited, as in most configurations a user who can log into the GoCD UI as an admin also has host administration permissions for the host/container that GoCD runs on, in order to manage artifact storage and other service-level configuration options. Additionally, since a GoCD admin has ability to configure and schedule pipelines tasks on all GoCD agents available to the server, the fundamental functionality of GoCD allows co-ordinated task execution similar to that of post-backup-scripts. However in restricted environments where the host administration is separated from the role of a GoCD admin, this may be unexpected. The issue is fixed in GoCD 24.5.0. Post-backup scripts can no longer be executed from within certain sensitive locations on the GoCD server. No known workarounds are available. | ||||
| CVE-2023-36786 | 1 Microsoft | 1 Skype For Business Server | 2025-01-01 | 7.2 High |
| Skype for Business Remote Code Execution Vulnerability | ||||
| CVE-2023-32054 | 1 Microsoft | 11 Windows 10 1507, Windows 10 1607, Windows 10 1809 and 8 more | 2025-01-01 | 7.3 High |
| Volume Shadow Copy Elevation of Privilege Vulnerability | ||||
| CVE-2024-12643 | 2024-12-16 | 8.1 High | ||
| The tbm-client from Chunghwa Telecom has an Arbitrary File Delete vulnerability. The application sets up a simple local web server and provides APIs for communication with the target website. Due to the lack of CSRF protection in the APIs, unauthenticated remote attackers could use these APIs through phishing. Additionally, one of the APIs contains an Absolute Path Traversal vulnerability, allowing attackers to delete arbitrary files on the user's system. | ||||